G'day,

I'm curious about a change to the transparent/interception behaviour
between Squid versions 2.7 and 3.1.

I'm using a iptables NAT redirect to send all tcp traffic with dst
port 80 on the FORWARD chain to port 60080 and in my squid.conf I have

"http_port 60080 transparent" for Squid 2.7
"http_port 60080 intercept" for Squid 3.1

I also have the following ACL
"acl intercepted myport 60080"

Squid is running on 192.168.0.112 and a box with 192.168.0.112 as its
gateway is trying to access 64.191.203.30:80.

On Squid 2.7 the "intercepted" acl matches whilst in 3.1 it doesn't.

Digging deeper into the Squid 3.1 source it seems that if a http_port
is set to intercept then the "me" member of ConnStateData, which is
normally the proxy's ip and listening port, is replaced by the pre-NAT
destination ip and port.

client_side.cc: 2959
    if (port->intercepted || port->spoof_client_ip) {
        IpAddress client, dst;

        if (IpInterceptor.NatLookup(fd, me, peer, client, dst) == 0) {
            result->me = client;
            result->peer = dst;
            result->transparent(true);
        }
    }

Thus it seems, for the scenario above, in the Squid 2.7 case
myport = 60080, myip = 192.168.0.112

yet in the 3.1 case
myport = 80, myip = 64.191.203.30

Is this the desired behaviour, and if so, why did this change
somewhere between 2.7 and 3.1?

Cheers,
James Brotchie

Reply via email to